Last post of the year! Happy New Year peoples. Hope everyone’s holiday/break has been restful. I’m going to take a short break for the rest of the year and be back for Week 1 2017 😉
SOFTWARE UPDATES
- Michael Hale Ligh has announced the release of Volatility 2.6.
“This release improves support for Windows 10 and adds support for Windows Server 2016, Mac OS Sierra 10.12, and Linux with KASLR kernels. A lot of bug fixes went into this release as well as performance enhancements”. It can be downloaded from GitHub.
The Release of Volatility 2.6
- Didier Stevens updated his PDF-Parser Python script to version 0.6.7, adding the -k option “to search for keys in dictionaries”.
Update: pdf-parser Version 0.6.7
- Cellebrite updated UFED PA to v5.4.6; however, they haven’t uploaded the release notes. Digital Forensics Corp explains that the update fixes a few issues.
UFED Physical Analyzer V. 5.4.6 Is Available Now
- Paraben Corporation announced the release of E3:Universal, E3:DS, and E3:P2C Aurora edition 1.1, improving Android, iOS backup and Twitter support, as well as other improvements.
E3 Aurora Edition 1.1 Released
- GetData updated Forensic Explorer to v3.9.7.6140 with various bug fixes and minor updates.
23 Dec 2016 – v3.9.7.6140
SOFTWARE/PRODUCT RELEASES
- A couple of weeks ago I published my RegRipper GUI Perl script but forgot to mention it here. As opposed to the already existing RegRipper GUI, this one will automatically run the selected plugin as long as the registry files are found in the selected directory. As a suggestion, don’t select the plugins that run on all plugins (i.e. regtime) as the program will loop through each registry file listed in the plugin. Also, the registry files are required to be named as one would expect, so if you’ve renamed them they won’t run properly. You can get the script here.
- Matt Graeber “wrote a parser to pull out ELAM driver approved anti-malware signer info” and released it on GitHub.
Check Out @mattifestation’s Tweet
- Joshua Trombley at OpenSec Labs has produced a handy script to automate the installation of Volatility on Win10’s Ubuntu subsystem.
Volatility on Ubuntu on Windows 10
- Not exactly a new release, but Matt Suiche has released the source code for Hibr2Bin (version 3.0) on GitHub. Many people would know of Hibr2Bin’s companion utility, Dumpit, which is one of the main players in RAM acquisition.
Hibr2Bin
PRESENTATIONS/PODCASTS
- Joshua James has posted a couple of videos on how to create Linux VMs using VirtualBox.
[How to] Installing and updating Linux in Virtualbox
- Yuri Gubanov has released a video on Forensic Focus showcasing Belkasoft’s Evidence Center 2017 v.8.3. The transcript and video can be found below.
Webinars – 2016 Sneak Peek Into Belkasoft Evidence Center v.8.3
- Lee Reiber talks about isolation of mobile devices. Lee explains that some of the older Faraday boxes and bags may not block the higher frequency signals and instead recommends using airplane mode.
Mobile Forensic Minute 103
- John Lambert updated his presentation on “Office Macro Lures 2.0”.
Check out @JohnLaTwC’s Tweet
- Sergi Alvarez, aka pancake, presented at “33C3: works for me” about Radare.
Radare Demystified: After 1.0
- Jonathan Rajewski, the Director of the Senator Patrick Leahy Center for Digital Investigation at Champlain College, presented at TEDxBuffalo on how IoT is making cybercrime investigation easier. This links quite nicely to the article shared by Forensic Focus: US investigators have requested Amazon Echo data from Amazon. This was inevitable, as IoT devices store a wealth of information that may be useful in an investigation.
How the IoT is Making Cybercrime Investigation Easier | Jonathan Rajewski | TEDxBuffalo
- This week’s Digital Forensics Survival Podcast provides an overview of the Direct Memory Access exploit for bypassing passwords on locked devices. Attackers/examiners can utilise a tool like Inception and connect to a device via an interface that supports DMA (think FireWire, PC-Express, Thunderbolt) and are able to access and download a section of RAM. They are then able to obtain the login credentials and use them to access the locked device.
DFSP # 045 – RUN DMA
- Dave and Davida hosted the last Forensic Lunch of the year! David gave his thoughts on the GRR project and how it’s progressed and how they’ve used it in the field. David also talked about a few of the interesting cases that he worked on this year, and a couple of the things planned for 2017.
Forensic Lunch 12/30/16
FORENSIC ANALYSIS
- Digital Forensics Corp shared a number of articles this week.
- They shared an article by Christian Zibreg from the iDownloadBlog on the data that can be extracted from an iPhone using a Cellebrite UFED device.
What Types Of Data Can Be Extracted From An iPhone?
- They shared a Sysmon configuration created by Florian Roth that focuses on malware detection (execution and network connections) and exploit detection.
Get Info About Sysmon Base Configuration – Workstations
- They shared Deepak Kumar’s list of DFIR tools; however, the link doesn’t seem to work (it redirects to Facebook and asks to log in), but I found it on LinkedIn here.
Deepak Kumar’s List Of Vapt DFIR Tools.
- Oleg and Igor wrote a walkthrough for using Oxygen Forensic Detective to extract passwords from a dump of a Windows Phone device. I like these kinds of articles because they show the capability of a tool: rather than saying “our tool does this”, they show the process so that you can determine whether the tool does what you need it to do.
Passwords Extraction From Dumps Of Windows Phone Mobile Devices Via “Oxygen Forensic Detective”
- They shared an article by Kevin M. Thomas on “Assembly Language – Basic Malware Reverse Engineering”.
Basic Malware Reverse Engineering: Part 39
- Maxim Suhanov talks about a GRUB module that he wrote “to perform simple disk-to-disk acquisitions using the 0x13 BIOS interrupt”.
Acquisition Of A Fake Raid Using GRUB
- Lastly, they linked to an article on cybersecurity in Singapore.
Evolution of Cybersecurity
- Matt Bromiley’s Zeltser Challenge continues!
- Matt introduces a new tool he’s written called RedSketch, which converts Redline data into the Timesketch format.
Scripting Saturday: Redsketch
- Matt shares his thoughts on submitting talks to conferences and encourages people to do so. Even with the possibility of rejection, the process of submitting means you’re getting yourself out there and have found something you think is interesting enough to share. Rejection can come for any number of reasons and should be used to motivate you to either dig deeper or share the information elsewhere. If it’s something that you find indispensable, then I’m sure another person will as well. It also seems that Matt’s offering himself up as a sounding board: “If you’ve got a new tool, method, or technique, I want to know. If you’ve got a way to teach an old dog new tricks …, then I want to know.” If you’re hesitant about presenting something, or you don’t know if it will pass muster, then get out and talk to people about it and see if it’s something worth sharing!
CFPs are for Everyone
- This post expands on last Friday’s packet capture analysis and explores the VBE script (encoded VBScript) that was located.
Malware Monday: VBScript and VBE Files
- Torvalds Tuesday focuses on bash history. As Matt mentions, I’d highly recommend looking at this presentation on bash history to get an understanding of how it’s generated. Matt explains an interesting technique for adding context to bash history when timestamps aren’t turned on: for example, looking at commands for package installs and then comparing them with the log identifying when the package was installed. Then, using other artefacts, you can continue to add context, similar to how you can create a mini-timeline with the RecentDocs Windows registry key.
Torvalds Tuesday: Bash History
- This post provides an overview of the Prefetch forensic artefact and how it can be used to provide information about program execution.
Windows Wednesday: Prefetch Files
- Progressing from looking at the artefact, Matt provides an overview of Eric Zimmerman’s PECmd Prefetch parser.
Tooling Thursday: PECmd
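As an added illustration of the bounding technique Matt describes in the bash history post (example code written for this roundup, not code from his post): the script takes a timestamp-less bash history and a dpkg.log, both constructed samples, dates each package-install command from the log’s “status installed” entries, and reports the not-before/not-after window those anchors give every other command.

```python
import re
from datetime import datetime
# Constructed sample inputs (not from Matt's post): a .bash_history written without
# HISTTIMEFORMAT, so it carries no timestamps, and the matching /var/log/dpkg.log.
BASH_HISTORY = """\
cd /tmp
apt-get install nmap
nmap -sn 10.0.0.0/24
sudo apt install -y socat
socat -V
history -c
"""
DPKG_LOG = """\
2016-12-28 10:15:02 startup packages configure
2016-12-28 10:15:03 status installed nmap:amd64 7.40-1
2016-12-28 10:15:03 status installed libpcap0.8:amd64 1.8.1-3
2016-12-28 11:42:40 status installed socat:amd64 1.7.3.1-2
"""

INSTALL_RE = re.compile(r"^(?:sudo\s+)?(?:apt-get|apt|aptitude)\s+(?:-\S+\s+)*install\s+(.+)$")
DPKG_RE = re.compile(r"^(\S+ \S+) status installed ([^:\s]+)")

def installed_times(dpkg_log):
    """Map package name -> first 'status installed' timestamp in dpkg.log."""
    times = {}
    for line in dpkg_log.splitlines():
        m = DPKG_RE.match(line)
        if m and m.group(2) not in times:
            times[m.group(2)] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return times

def bound_history(history, dpkg_log):
    """Return [(index, command, not_before, not_after)] per history line: install
    commands become anchors dated from dpkg.log, every other command is bounded by
    the nearest anchor on each side in history order (None if there is none)."""
    times = installed_times(dpkg_log)
    cmds = history.splitlines()
    anchors = [None] * len(cmds)
    for i, cmd in enumerate(cmds):
        m = INSTALL_RE.match(cmd.strip())
        if m:
            # earliest dpkg time among the packages named on the command line
            stamps = [times[p] for p in m.group(1).split() if p in times]
            anchors[i] = min(stamps) if stamps else None
    rows = []
    for i, cmd in enumerate(cmds):
        before = next((a for a in reversed(anchors[:i + 1]) if a), None)
        after = next((a for a in anchors[i:] if a), None)
        rows.append((i, cmd, before, after))
    return rows
```

Other dated artefacts (auth.log entries, file mtimes of downloaded archives) can be folded in as further anchors in exactly the same way to tighten the windows.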
- There were a few articles shared on Cyber Forensicator.
- They shared an article by Dauda Sule on the basics of eDiscovery.
A Beginner’s Guide to eDiscovery
- They showed how to acquire a Meizu MX4 Android smartphone using Belkaimager. The acquired image can then be opened in BEC.
Android Acquisition and Analysis with Belkasoft Evidence Center
- They shared a tool called Dislocker that “is a FUSE driver to read/write Windows’ BitLockered volumes under Linux or Mac OS X”.
Unlock BitLockered volumes under Linux or Mac OS X with Dislocker
- Darlene Alvar shared a series of tips from Amped’s trainer, David Spreadborough, for using Amped FIVE.
Amped Advent Calendar: useful tips and tricks in Amped FIVE
- Andrew Swartwood at Between Two DFIRns has written a post describing how to replicate a few common analysis workflows from Bash into Powershell.
DFIR Command Line Analysis – Moving from Bash to Powershell
- Didier Stevens at NVISO Labs walks through some PDF analysis with his pdfid and pdf-parser tools.
PDF Analysis: Back To Basics
- The December 2016 Journal of Digital Investigation has been released.
Digital Investigation – Volume 19, Pages A1-A4, 1-78 (December 2016)
- Scott Piper at Summit Route walks through the setup process of go-audit, a tool that “helps make sense of the data that can be collected with auditd”. He then shows how it can be used in conjunction with logstash and gcore to catch an attacker executing processes.
Catching attackers with go-audit and a logging pipeline
- There were a couple of articles on Forensic Focus this week.
- Elcomsoft have written a post about Android, and the various services’ use of the location data it provides.
Who Is Spying On Android Users, Why Do They Do It And What Are They Doing With The Data?
- “Yuri Gubanov presents a recap of the articles, product releases, events and more which have defined Belkasoft in 2016.”
Belkasoft Marks A Successful 2016
- The SANS InfoSec Reading Room have posted Kaleb Fornero’s whitepaper on monitoring DNS for misuse. The paper outlines “the way in which DNS may be abused for command and control channels as well as data exfiltration by deconstructing deceptive packets and outlining the anomalies within them.”
Is Anyone Out There? Monitoring DNS for Misuse
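An added example, not from the paper or this post, of the kind of anomaly check the paper’s approach suggests: it profiles a constructed resolver log per parent domain (taken here as the last two labels, an assumption made for the example) and flags domains whose queries show single-use, long, high-entropy subdomains or consist entirely of TXT/NULL lookups.

```python
import math
from collections import defaultdict
# Constructed resolver log (not from the paper or the post), "<time> <client> <qname> <qtype>":
# ordinary lookups, then a burst of long, single-use, high-entropy subdomains under one domain.
QUERY_LOG = """\
10:15:01 10.0.0.5 www.example.com A
10:15:02 10.0.0.5 mail.example.com MX
10:15:02 10.0.0.7 cdn.vendor.example.net A
10:15:03 10.0.0.9 7a3f9c1e4b2d8e6f0a1b2c3d4e5f6a7b.t.badexample.org TXT
10:15:03 10.0.0.9 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.t.badexample.org TXT
10:15:04 10.0.0.9 0f1e2d3c4b5a69788796a5b4c3d2e1f0.t.badexample.org TXT
"""
def entropy(s):
    """Shannon entropy in bits per character; hex/base32-encoded labels sit near 4."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s)) if s else 0.0

def parent_domain(qname):
    """Assumption made for this example: the last two labels approximate the registered domain."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def profile(log):
    # Per parent domain: query count, distinct subdomains, longest label, subdomain entropies, TXT/NULL count
    stats = defaultdict(lambda: {"n": 0, "subs": set(), "max_label": 0, "ent": [], "txt": 0})
    for line in log.splitlines():
        _, _, qname, qtype = line.split()
        dom = parent_domain(qname)
        sub = qname[: -len(dom) - 1] if len(qname) > len(dom) else ""
        s = stats[dom]
        s["n"] += 1
        s["subs"].add(sub)
        s["max_label"] = max([s["max_label"]] + [len(label) for label in sub.split(".")])
        s["ent"].append(entropy(sub.replace(".", "")))
        s["txt"] += qtype in ("TXT", "NULL")
    return stats

def suspicious(log, min_queries=3, min_entropy=3.5, max_label=30):
    """Return {parent_domain: [reasons]} for domains that trip two or more anomaly checks."""
    flagged = {}
    for dom, s in profile(log).items():
        checks = [
            (s["n"] >= min_queries and len(s["subs"]) == s["n"], "every query used a new subdomain"),
            (sum(s["ent"]) / len(s["ent"]) >= min_entropy, "high-entropy subdomain labels"),
            (s["max_label"] > max_label, "label longer than %d characters" % max_label),
            (s["txt"] == s["n"], "all queries TXT/NULL"),
        ]
        reasons = [why for hit, why in checks if hit]
        if len(reasons) >= 2:
            flagged[dom] = reasons
    return flagged
```

The thresholds are starting points for tuning against a baseline of your own resolver logs; CDNs and some telemetry services legitimately generate high-entropy labels, so requiring two concurrent anomalies keeps the false-positive rate manageable.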
- Guy Bruneau has posted on the SANS ISC Handler Diaries about how to use daemonlogger to capture traffic from one of two interfaces on his gateway, and forward a copy to “a third interface connected to [his] packet sniffer”.
Using daemonlogger as a Software Tap
MALWARE
- Roy Moshailov at Morphisec unpacks some malware distributed by a maldoc. Roy also points out that the small bits of evasion code (checking recentdocs to see if there’s data in it) can limit static-based solutions.
Evasive Malware Campaign with Faked HM Revenue and Customs Attachment
- Nikita Buchka at Securelist examines an Android trojan, Trojan.AndroidOS.Switcher, that “attacks the Wi-Fi network the user is connected to, or, to be precise, the wireless router that serves the network” instead of the user. Once it’s on your phone, it attempts to brute force your router password using a dictionary attack and then modifies your DNS settings.
Switcher: Android joins the ‘attack-the-router’ club
- Brooks Li and Joseph C. Chen at TrendLabs examine the newly updated Sundown EK which now incorporates steganography “to hide their exploit code”.
Updated Sundown Exploit Kit Uses Steganography
- Scott J Roberts shared a series of links to the recent US response to Russian hacking/influencing the recent election. The end of the post includes a series of IOCs that people may find useful.
United States Response to Grizzly Steppe
- Robert M. Lee also provides his thoughts on the DHS and FBI’s Joint Analysis Report (JAR).
Critiques of the DHS/FBI’s GRIZZLY STEPPE Report
- Malwaretech evaluates a list of arguments for open source ransomware. On the face of it, open source ransomware sounds like a ridiculous idea; but after reading through this list of arguments, it still sounds like a ridiculous idea.
Why Open Source Ransomware is Such a Problem
- Brad Duncan at Palo Alto Networks examines the evolution of the pseudo-Darkleech malware campaign since March 2016.
Campaign Evolution: pseudo-Darkleech in 2016
MISCELLANEOUS
- Adam at Hexacorn has a post on Visual Studio compiled program reversing where he identified an issue with a sig file relating to alignment bytes.
IDA, function alignment and signatures that don’t work…
- Ryan McGeehan at Starting Up Security talks about the insider threat, specifically regarding the Expedia Heist, where “a technical insider with admin privileges” stole confidential information and used it to obtain a benefit of $350K.
Learning from the Expedia Heist
- Rick McElroy at Carbon Black compares attribution in the physical and digital worlds.
When It Comes to Attack Attribution, the Physical and Cyber Worlds Differ Greatly
- Jerry Gamblin has performed some analysis on the IPs released in the FBI/DHS report and found that “the Grizzly Steppe data it is disjointed, ambiguous and really doesn’t provide any actionable data for most companies.”
Grizzly Steppe IP and Hash Analysis
- Vladimir Katalov at Elcomsoft investigates the claim by the FBI that they are able to “access information on most smartphones they are dealing with, even if encryption is enabled”. He concludes with several suggestions for securing your devices to prevent unwanted physical access.
FBI Can Unlock Most Devices They Need To
- Bruce Chen has shared all of his 33C3 CTF challenge writeups.
Check Out @bruce30262’s Tweet
- Christian at Cyint Analysis has shared his favourite threat intel tweets of 2016.
My Favorite Threat Intel Tweets of 2016
- Andreas Sfakianakis has published his list of top stories throughout the year relating to “DFIR, Threat Intel and Threat Hunting”.
Threat Intel Annual Reads 2016
And that’s all for 2016! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
Extensive. Finally got through cherry picking it. Great job for us that miss a lot of the good news.
A thanks for these compilations for those of us that miss many great releases and posts.